Does NIS2 Apply to My Organization?
NIS2 in Plain Terms: Who Is in Scope, What’s at Stake, and Who Pays the Price.
1/9/2026, 2 min read
Many organizations begin the NIS2 discussion by asking:
“Does this directive apply to us?”
Under NIS2, applicability is no longer driven by voluntary adoption or sector-specific registration. Instead, the directive applies automatically if an organization:
Employs 50 or more people, or
Has an annual turnover or annual balance sheet total exceeding €10 million,
And operates in a sector listed in Annex I or Annex II of the directive, i.e., one the EU considers relevant to the stability of the economy, society, or critical infrastructure.
The size threshold also has exceptions. Certain types of entity are in scope regardless of size, among them DNS service providers, top-level domain name registries, trust service providers, providers of public electronic communications networks or services, and central government public administration; member states may also bring in any other entity whose disruption would have a significant impact. The net effect is that many organizations that never considered themselves critical infrastructure are now in scope by default, often without realizing it. NIS2 is therefore not something you opt into; it is something you must actively assess. Once NIS2 applies, the next question naturally follows:
“How critical are we in the eyes of the regulator?”
This is where NIS2 introduces a structured classification model:
Essential Entities
Important Entities
Entities of Particular Importance (defined at national level)
This classification is not cosmetic. It determines how closely authorities supervise you, whether they can demand evidence of compliance before anything has gone wrong, and how severe enforcement actions may become. Here is what each classification means in practice.
Essential Entities: disruption of these entities would have a severe economic or societal impact. They are subject to the strictest regime, including ex ante supervision (i.e., authorities can inspect, audit or demand evidence of compliance even if nothing has gone wrong). The sectors in this group (Annex I) are energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management (business-to-business), public administration and space. Note that sector alone does not make you essential: in general only large entities in these sectors (250 or more employees, or annual turnover above €50 million and a balance sheet total above €43 million) are essential, while medium-sized entities in the same sectors are classified as important entities unless a specific rule or a national designation says otherwise.
Important Entities: lower criticality, but still necessary for economic and social stability. This covers the Annex II sectors: postal and courier services, waste management, chemicals (manufacture, production and distribution), food (production, processing and distribution), manufacturing (medical devices, computer, electronic and optical products, electrical equipment, machinery, motor vehicles and other transport equipment), digital providers (online marketplaces, online search engines and social networking platforms) and research organizations. It also covers medium-sized entities in the Annex I sectors that do not reach the essential-entity size threshold. Important entities are supervised ex post: authorities act when they receive evidence or indications of non-compliance rather than auditing proactively.
Entities of Particular Importance: the directive itself defines only the two categories above. It does, however, give member states national discretion to bring additional entities into scope regardless of size (for example, where the entity is the sole provider of a service in that member state, or where disruption could significantly affect public safety, security or health) and to designate them as essential or important. Some national transposition laws also use their own labels for these tiers, so check the law of each member state in which you operate.
At this point, the discussion often shifts from “Are we in scope?” to a more uncomfortable question:
“What happens if we get this wrong?”
NIS2 introduces a fundamentally new enforcement mindset:
Penalties are no longer symbolic
Fines scale with global turnover
And accountability moves beyond IT into the executive and board level
The more critical your classification, the stricter the supervision and the higher the potential penalties. NIS2 sets two tiers of maximum administrative fines:
For Essential Entities, whichever is higher:
Up to €10 million, or
Up to 2% of total worldwide annual turnover in the preceding financial year
For Important Entities, whichever is higher:
Up to €7 million, or
Up to 1.4% of total worldwide annual turnover in the preceding financial year
The single most consequential change in NIS2 is that cybersecurity is no longer just an IT issue; it is a board-level duty. Management bodies must approve the cybersecurity risk-management measures, oversee their implementation and undergo training themselves, and their members can be held personally liable under national law for breaches. For essential entities, authorities can also go beyond fines: they may temporarily suspend certifications or authorisations and temporarily prohibit persons at CEO or legal-representative level from exercising management functions until compliance is restored. Executives such as the CEO, managing director, CIO and CISO should therefore treat NIS2 as a personal governance obligation, not a delegated IT project.
